1 //===- Miscompilation.cpp - Debug program miscompilations -----------------===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file implements optimizer and code generation miscompilation debugging
11 // support.
12 //
13 //===----------------------------------------------------------------------===//
14
15 #include "BugDriver.h"
16 #include "ListReducer.h"
17 #include "ToolRunner.h"
18 #include "llvm/Constants.h"
19 #include "llvm/DerivedTypes.h"
20 #include "llvm/Instructions.h"
21 #include "llvm/Linker.h"
22 #include "llvm/Module.h"
23 #include "llvm/Pass.h"
24 #include "llvm/Analysis/Verifier.h"
25 #include "llvm/Transforms/Utils/Cloning.h"
26 #include "llvm/Support/CommandLine.h"
27 #include "llvm/Support/FileUtilities.h"
28 #include "llvm/Config/config.h" // for HAVE_LINK_R
29 using namespace llvm;
30
31 namespace llvm {
32 extern cl::opt<std::string> OutputPrefix;
33 extern cl::list<std::string> InputArgv;
34 }
35
36 namespace {
37 static llvm::cl::opt<bool>
38 DisableLoopExtraction("disable-loop-extraction",
39 cl::desc("Don't extract loops when searching for miscompilations"),
40 cl::init(false));
41 static llvm::cl::opt<bool>
42 DisableBlockExtraction("disable-block-extraction",
43 cl::desc("Don't extract blocks when searching for miscompilations"),
44 cl::init(false));
45
46 class ReduceMiscompilingPasses : public ListReducer<std::string> {
47 BugDriver &BD;
48 public:
ReduceMiscompilingPasses(BugDriver & bd)49 ReduceMiscompilingPasses(BugDriver &bd) : BD(bd) {}
50
51 virtual TestResult doTest(std::vector<std::string> &Prefix,
52 std::vector<std::string> &Suffix,
53 std::string &Error);
54 };
55 }
56
57 /// TestResult - After passes have been split into a test group and a control
58 /// group, see if they still break the program.
59 ///
60 ReduceMiscompilingPasses::TestResult
doTest(std::vector<std::string> & Prefix,std::vector<std::string> & Suffix,std::string & Error)61 ReduceMiscompilingPasses::doTest(std::vector<std::string> &Prefix,
62 std::vector<std::string> &Suffix,
63 std::string &Error) {
64 // First, run the program with just the Suffix passes. If it is still broken
65 // with JUST the kept passes, discard the prefix passes.
66 outs() << "Checking to see if '" << getPassesString(Suffix)
67 << "' compiles correctly: ";
68
69 std::string BitcodeResult;
70 if (BD.runPasses(BD.getProgram(), Suffix, BitcodeResult, false/*delete*/,
71 true/*quiet*/)) {
72 errs() << " Error running this sequence of passes"
73 << " on the input program!\n";
74 BD.setPassesToRun(Suffix);
75 BD.EmitProgressBitcode(BD.getProgram(), "pass-error", false);
76 exit(BD.debugOptimizerCrash());
77 }
78
79 // Check to see if the finished program matches the reference output...
80 bool Diff = BD.diffProgram(BD.getProgram(), BitcodeResult, "",
81 true /*delete bitcode*/, &Error);
82 if (!Error.empty())
83 return InternalError;
84 if (Diff) {
85 outs() << " nope.\n";
86 if (Suffix.empty()) {
87 errs() << BD.getToolName() << ": I'm confused: the test fails when "
88 << "no passes are run, nondeterministic program?\n";
89 exit(1);
90 }
91 return KeepSuffix; // Miscompilation detected!
92 }
93 outs() << " yup.\n"; // No miscompilation!
94
95 if (Prefix.empty()) return NoFailure;
96
97 // Next, see if the program is broken if we run the "prefix" passes first,
98 // then separately run the "kept" passes.
99 outs() << "Checking to see if '" << getPassesString(Prefix)
100 << "' compiles correctly: ";
101
102 // If it is not broken with the kept passes, it's possible that the prefix
103 // passes must be run before the kept passes to break it. If the program
104 // WORKS after the prefix passes, but then fails if running the prefix AND
105 // kept passes, we can update our bitcode file to include the result of the
106 // prefix passes, then discard the prefix passes.
107 //
108 if (BD.runPasses(BD.getProgram(), Prefix, BitcodeResult, false/*delete*/,
109 true/*quiet*/)) {
110 errs() << " Error running this sequence of passes"
111 << " on the input program!\n";
112 BD.setPassesToRun(Prefix);
113 BD.EmitProgressBitcode(BD.getProgram(), "pass-error", false);
114 exit(BD.debugOptimizerCrash());
115 }
116
117 // If the prefix maintains the predicate by itself, only keep the prefix!
118 Diff = BD.diffProgram(BD.getProgram(), BitcodeResult, "", false, &Error);
119 if (!Error.empty())
120 return InternalError;
121 if (Diff) {
122 outs() << " nope.\n";
123 sys::Path(BitcodeResult).eraseFromDisk();
124 return KeepPrefix;
125 }
126 outs() << " yup.\n"; // No miscompilation!
127
128 // Ok, so now we know that the prefix passes work, try running the suffix
129 // passes on the result of the prefix passes.
130 //
131 OwningPtr<Module> PrefixOutput(ParseInputFile(BitcodeResult,
132 BD.getContext()));
133 if (PrefixOutput == 0) {
134 errs() << BD.getToolName() << ": Error reading bitcode file '"
135 << BitcodeResult << "'!\n";
136 exit(1);
137 }
138 sys::Path(BitcodeResult).eraseFromDisk(); // No longer need the file on disk
139
140 // Don't check if there are no passes in the suffix.
141 if (Suffix.empty())
142 return NoFailure;
143
144 outs() << "Checking to see if '" << getPassesString(Suffix)
145 << "' passes compile correctly after the '"
146 << getPassesString(Prefix) << "' passes: ";
147
148 OwningPtr<Module> OriginalInput(BD.swapProgramIn(PrefixOutput.take()));
149 if (BD.runPasses(BD.getProgram(), Suffix, BitcodeResult, false/*delete*/,
150 true/*quiet*/)) {
151 errs() << " Error running this sequence of passes"
152 << " on the input program!\n";
153 BD.setPassesToRun(Suffix);
154 BD.EmitProgressBitcode(BD.getProgram(), "pass-error", false);
155 exit(BD.debugOptimizerCrash());
156 }
157
158 // Run the result...
159 Diff = BD.diffProgram(BD.getProgram(), BitcodeResult, "",
160 true /*delete bitcode*/, &Error);
161 if (!Error.empty())
162 return InternalError;
163 if (Diff) {
164 outs() << " nope.\n";
165 return KeepSuffix;
166 }
167
168 // Otherwise, we must not be running the bad pass anymore.
169 outs() << " yup.\n"; // No miscompilation!
170 // Restore orig program & free test.
171 delete BD.swapProgramIn(OriginalInput.take());
172 return NoFailure;
173 }
174
175 namespace {
176 class ReduceMiscompilingFunctions : public ListReducer<Function*> {
177 BugDriver &BD;
178 bool (*TestFn)(BugDriver &, Module *, Module *, std::string &);
179 public:
ReduceMiscompilingFunctions(BugDriver & bd,bool (* F)(BugDriver &,Module *,Module *,std::string &))180 ReduceMiscompilingFunctions(BugDriver &bd,
181 bool (*F)(BugDriver &, Module *, Module *,
182 std::string &))
183 : BD(bd), TestFn(F) {}
184
doTest(std::vector<Function * > & Prefix,std::vector<Function * > & Suffix,std::string & Error)185 virtual TestResult doTest(std::vector<Function*> &Prefix,
186 std::vector<Function*> &Suffix,
187 std::string &Error) {
188 if (!Suffix.empty()) {
189 bool Ret = TestFuncs(Suffix, Error);
190 if (!Error.empty())
191 return InternalError;
192 if (Ret)
193 return KeepSuffix;
194 }
195 if (!Prefix.empty()) {
196 bool Ret = TestFuncs(Prefix, Error);
197 if (!Error.empty())
198 return InternalError;
199 if (Ret)
200 return KeepPrefix;
201 }
202 return NoFailure;
203 }
204
205 bool TestFuncs(const std::vector<Function*> &Prefix, std::string &Error);
206 };
207 }
208
209 /// TestMergedProgram - Given two modules, link them together and run the
210 /// program, checking to see if the program matches the diff. If there is
211 /// an error, return NULL. If not, return the merged module. The Broken argument
212 /// will be set to true if the output is different. If the DeleteInputs
213 /// argument is set to true then this function deletes both input
214 /// modules before it returns.
215 ///
TestMergedProgram(const BugDriver & BD,Module * M1,Module * M2,bool DeleteInputs,std::string & Error,bool & Broken)216 static Module *TestMergedProgram(const BugDriver &BD, Module *M1, Module *M2,
217 bool DeleteInputs, std::string &Error,
218 bool &Broken) {
219 // Link the two portions of the program back to together.
220 std::string ErrorMsg;
221 if (!DeleteInputs) {
222 M1 = CloneModule(M1);
223 M2 = CloneModule(M2);
224 }
225 if (Linker::LinkModules(M1, M2, Linker::DestroySource, &ErrorMsg)) {
226 errs() << BD.getToolName() << ": Error linking modules together:"
227 << ErrorMsg << '\n';
228 exit(1);
229 }
230 delete M2; // We are done with this module.
231
232 // Execute the program.
233 Broken = BD.diffProgram(M1, "", "", false, &Error);
234 if (!Error.empty()) {
235 // Delete the linked module
236 delete M1;
237 return NULL;
238 }
239 return M1;
240 }
241
242 /// TestFuncs - split functions in a Module into two groups: those that are
243 /// under consideration for miscompilation vs. those that are not, and test
244 /// accordingly. Each group of functions becomes a separate Module.
245 ///
TestFuncs(const std::vector<Function * > & Funcs,std::string & Error)246 bool ReduceMiscompilingFunctions::TestFuncs(const std::vector<Function*> &Funcs,
247 std::string &Error) {
248 // Test to see if the function is misoptimized if we ONLY run it on the
249 // functions listed in Funcs.
250 outs() << "Checking to see if the program is misoptimized when "
251 << (Funcs.size()==1 ? "this function is" : "these functions are")
252 << " run through the pass"
253 << (BD.getPassesToRun().size() == 1 ? "" : "es") << ":";
254 PrintFunctionList(Funcs);
255 outs() << '\n';
256
257 // Create a clone for two reasons:
258 // * If the optimization passes delete any function, the deleted function
259 // will be in the clone and Funcs will still point to valid memory
260 // * If the optimization passes use interprocedural information to break
261 // a function, we want to continue with the original function. Otherwise
262 // we can conclude that a function triggers the bug when in fact one
263 // needs a larger set of original functions to do so.
264 ValueToValueMapTy VMap;
265 Module *Clone = CloneModule(BD.getProgram(), VMap);
266 Module *Orig = BD.swapProgramIn(Clone);
267
268 std::vector<Function*> FuncsOnClone;
269 for (unsigned i = 0, e = Funcs.size(); i != e; ++i) {
270 Function *F = cast<Function>(VMap[Funcs[i]]);
271 FuncsOnClone.push_back(F);
272 }
273
274 // Split the module into the two halves of the program we want.
275 VMap.clear();
276 Module *ToNotOptimize = CloneModule(BD.getProgram(), VMap);
277 Module *ToOptimize = SplitFunctionsOutOfModule(ToNotOptimize, FuncsOnClone,
278 VMap);
279
280 // Run the predicate, note that the predicate will delete both input modules.
281 bool Broken = TestFn(BD, ToOptimize, ToNotOptimize, Error);
282
283 delete BD.swapProgramIn(Orig);
284
285 return Broken;
286 }
287
288 /// DisambiguateGlobalSymbols - Give anonymous global values names.
289 ///
DisambiguateGlobalSymbols(Module * M)290 static void DisambiguateGlobalSymbols(Module *M) {
291 for (Module::global_iterator I = M->global_begin(), E = M->global_end();
292 I != E; ++I)
293 if (!I->hasName())
294 I->setName("anon_global");
295 for (Module::iterator I = M->begin(), E = M->end(); I != E; ++I)
296 if (!I->hasName())
297 I->setName("anon_fn");
298 }
299
300 /// ExtractLoops - Given a reduced list of functions that still exposed the bug,
301 /// check to see if we can extract the loops in the region without obscuring the
302 /// bug. If so, it reduces the amount of code identified.
303 ///
ExtractLoops(BugDriver & BD,bool (* TestFn)(BugDriver &,Module *,Module *,std::string &),std::vector<Function * > & MiscompiledFunctions,std::string & Error)304 static bool ExtractLoops(BugDriver &BD,
305 bool (*TestFn)(BugDriver &, Module *, Module *,
306 std::string &),
307 std::vector<Function*> &MiscompiledFunctions,
308 std::string &Error) {
309 bool MadeChange = false;
310 while (1) {
311 if (BugpointIsInterrupted) return MadeChange;
312
313 ValueToValueMapTy VMap;
314 Module *ToNotOptimize = CloneModule(BD.getProgram(), VMap);
315 Module *ToOptimize = SplitFunctionsOutOfModule(ToNotOptimize,
316 MiscompiledFunctions,
317 VMap);
318 Module *ToOptimizeLoopExtracted = BD.ExtractLoop(ToOptimize);
319 if (!ToOptimizeLoopExtracted) {
320 // If the loop extractor crashed or if there were no extractible loops,
321 // then this chapter of our odyssey is over with.
322 delete ToNotOptimize;
323 delete ToOptimize;
324 return MadeChange;
325 }
326
327 errs() << "Extracted a loop from the breaking portion of the program.\n";
328
329 // Bugpoint is intentionally not very trusting of LLVM transformations. In
330 // particular, we're not going to assume that the loop extractor works, so
331 // we're going to test the newly loop extracted program to make sure nothing
332 // has broken. If something broke, then we'll inform the user and stop
333 // extraction.
334 AbstractInterpreter *AI = BD.switchToSafeInterpreter();
335 bool Failure;
336 Module *New = TestMergedProgram(BD, ToOptimizeLoopExtracted, ToNotOptimize,
337 false, Error, Failure);
338 if (!New)
339 return false;
340 // Delete the original and set the new program.
341 delete BD.swapProgramIn(New);
342 if (Failure) {
343 BD.switchToInterpreter(AI);
344
345 // Merged program doesn't work anymore!
346 errs() << " *** ERROR: Loop extraction broke the program. :("
347 << " Please report a bug!\n";
348 errs() << " Continuing on with un-loop-extracted version.\n";
349
350 BD.writeProgramToFile(OutputPrefix + "-loop-extract-fail-tno.bc",
351 ToNotOptimize);
352 BD.writeProgramToFile(OutputPrefix + "-loop-extract-fail-to.bc",
353 ToOptimize);
354 BD.writeProgramToFile(OutputPrefix + "-loop-extract-fail-to-le.bc",
355 ToOptimizeLoopExtracted);
356
357 errs() << "Please submit the "
358 << OutputPrefix << "-loop-extract-fail-*.bc files.\n";
359 delete ToOptimize;
360 delete ToNotOptimize;
361 delete ToOptimizeLoopExtracted;
362 return MadeChange;
363 }
364 delete ToOptimize;
365 BD.switchToInterpreter(AI);
366
367 outs() << " Testing after loop extraction:\n";
368 // Clone modules, the tester function will free them.
369 Module *TOLEBackup = CloneModule(ToOptimizeLoopExtracted);
370 Module *TNOBackup = CloneModule(ToNotOptimize);
371 Failure = TestFn(BD, ToOptimizeLoopExtracted, ToNotOptimize, Error);
372 if (!Error.empty())
373 return false;
374 if (!Failure) {
375 outs() << "*** Loop extraction masked the problem. Undoing.\n";
376 // If the program is not still broken, then loop extraction did something
377 // that masked the error. Stop loop extraction now.
378 delete TOLEBackup;
379 delete TNOBackup;
380 return MadeChange;
381 }
382 ToOptimizeLoopExtracted = TOLEBackup;
383 ToNotOptimize = TNOBackup;
384
385 outs() << "*** Loop extraction successful!\n";
386
387 std::vector<std::pair<std::string, FunctionType*> > MisCompFunctions;
388 for (Module::iterator I = ToOptimizeLoopExtracted->begin(),
389 E = ToOptimizeLoopExtracted->end(); I != E; ++I)
390 if (!I->isDeclaration())
391 MisCompFunctions.push_back(std::make_pair(I->getName(),
392 I->getFunctionType()));
393
394 // Okay, great! Now we know that we extracted a loop and that loop
395 // extraction both didn't break the program, and didn't mask the problem.
396 // Replace the current program with the loop extracted version, and try to
397 // extract another loop.
398 std::string ErrorMsg;
399 if (Linker::LinkModules(ToNotOptimize, ToOptimizeLoopExtracted,
400 Linker::DestroySource, &ErrorMsg)){
401 errs() << BD.getToolName() << ": Error linking modules together:"
402 << ErrorMsg << '\n';
403 exit(1);
404 }
405 delete ToOptimizeLoopExtracted;
406
407 // All of the Function*'s in the MiscompiledFunctions list are in the old
408 // module. Update this list to include all of the functions in the
409 // optimized and loop extracted module.
410 MiscompiledFunctions.clear();
411 for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) {
412 Function *NewF = ToNotOptimize->getFunction(MisCompFunctions[i].first);
413
414 assert(NewF && "Function not found??");
415 MiscompiledFunctions.push_back(NewF);
416 }
417
418 BD.setNewProgram(ToNotOptimize);
419 MadeChange = true;
420 }
421 }
422
423 namespace {
424 class ReduceMiscompiledBlocks : public ListReducer<BasicBlock*> {
425 BugDriver &BD;
426 bool (*TestFn)(BugDriver &, Module *, Module *, std::string &);
427 std::vector<Function*> FunctionsBeingTested;
428 public:
ReduceMiscompiledBlocks(BugDriver & bd,bool (* F)(BugDriver &,Module *,Module *,std::string &),const std::vector<Function * > & Fns)429 ReduceMiscompiledBlocks(BugDriver &bd,
430 bool (*F)(BugDriver &, Module *, Module *,
431 std::string &),
432 const std::vector<Function*> &Fns)
433 : BD(bd), TestFn(F), FunctionsBeingTested(Fns) {}
434
doTest(std::vector<BasicBlock * > & Prefix,std::vector<BasicBlock * > & Suffix,std::string & Error)435 virtual TestResult doTest(std::vector<BasicBlock*> &Prefix,
436 std::vector<BasicBlock*> &Suffix,
437 std::string &Error) {
438 if (!Suffix.empty()) {
439 bool Ret = TestFuncs(Suffix, Error);
440 if (!Error.empty())
441 return InternalError;
442 if (Ret)
443 return KeepSuffix;
444 }
445 if (!Prefix.empty()) {
446 bool Ret = TestFuncs(Prefix, Error);
447 if (!Error.empty())
448 return InternalError;
449 if (Ret)
450 return KeepPrefix;
451 }
452 return NoFailure;
453 }
454
455 bool TestFuncs(const std::vector<BasicBlock*> &BBs, std::string &Error);
456 };
457 }
458
459 /// TestFuncs - Extract all blocks for the miscompiled functions except for the
460 /// specified blocks. If the problem still exists, return true.
461 ///
TestFuncs(const std::vector<BasicBlock * > & BBs,std::string & Error)462 bool ReduceMiscompiledBlocks::TestFuncs(const std::vector<BasicBlock*> &BBs,
463 std::string &Error) {
464 // Test to see if the function is misoptimized if we ONLY run it on the
465 // functions listed in Funcs.
466 outs() << "Checking to see if the program is misoptimized when all ";
467 if (!BBs.empty()) {
468 outs() << "but these " << BBs.size() << " blocks are extracted: ";
469 for (unsigned i = 0, e = BBs.size() < 10 ? BBs.size() : 10; i != e; ++i)
470 outs() << BBs[i]->getName() << " ";
471 if (BBs.size() > 10) outs() << "...";
472 } else {
473 outs() << "blocks are extracted.";
474 }
475 outs() << '\n';
476
477 // Split the module into the two halves of the program we want.
478 ValueToValueMapTy VMap;
479 Module *Clone = CloneModule(BD.getProgram(), VMap);
480 Module *Orig = BD.swapProgramIn(Clone);
481 std::vector<Function*> FuncsOnClone;
482 std::vector<BasicBlock*> BBsOnClone;
483 for (unsigned i = 0, e = FunctionsBeingTested.size(); i != e; ++i) {
484 Function *F = cast<Function>(VMap[FunctionsBeingTested[i]]);
485 FuncsOnClone.push_back(F);
486 }
487 for (unsigned i = 0, e = BBs.size(); i != e; ++i) {
488 BasicBlock *BB = cast<BasicBlock>(VMap[BBs[i]]);
489 BBsOnClone.push_back(BB);
490 }
491 VMap.clear();
492
493 Module *ToNotOptimize = CloneModule(BD.getProgram(), VMap);
494 Module *ToOptimize = SplitFunctionsOutOfModule(ToNotOptimize,
495 FuncsOnClone,
496 VMap);
497
498 // Try the extraction. If it doesn't work, then the block extractor crashed
499 // or something, in which case bugpoint can't chase down this possibility.
500 if (Module *New = BD.ExtractMappedBlocksFromModule(BBsOnClone, ToOptimize)) {
501 delete ToOptimize;
502 // Run the predicate,
503 // note that the predicate will delete both input modules.
504 bool Ret = TestFn(BD, New, ToNotOptimize, Error);
505 delete BD.swapProgramIn(Orig);
506 return Ret;
507 }
508 delete BD.swapProgramIn(Orig);
509 delete ToOptimize;
510 delete ToNotOptimize;
511 return false;
512 }
513
514
515 /// ExtractBlocks - Given a reduced list of functions that still expose the bug,
516 /// extract as many basic blocks from the region as possible without obscuring
517 /// the bug.
518 ///
ExtractBlocks(BugDriver & BD,bool (* TestFn)(BugDriver &,Module *,Module *,std::string &),std::vector<Function * > & MiscompiledFunctions,std::string & Error)519 static bool ExtractBlocks(BugDriver &BD,
520 bool (*TestFn)(BugDriver &, Module *, Module *,
521 std::string &),
522 std::vector<Function*> &MiscompiledFunctions,
523 std::string &Error) {
524 if (BugpointIsInterrupted) return false;
525
526 std::vector<BasicBlock*> Blocks;
527 for (unsigned i = 0, e = MiscompiledFunctions.size(); i != e; ++i)
528 for (Function::iterator I = MiscompiledFunctions[i]->begin(),
529 E = MiscompiledFunctions[i]->end(); I != E; ++I)
530 Blocks.push_back(I);
531
532 // Use the list reducer to identify blocks that can be extracted without
533 // obscuring the bug. The Blocks list will end up containing blocks that must
534 // be retained from the original program.
535 unsigned OldSize = Blocks.size();
536
537 // Check to see if all blocks are extractible first.
538 bool Ret = ReduceMiscompiledBlocks(BD, TestFn, MiscompiledFunctions)
539 .TestFuncs(std::vector<BasicBlock*>(), Error);
540 if (!Error.empty())
541 return false;
542 if (Ret) {
543 Blocks.clear();
544 } else {
545 ReduceMiscompiledBlocks(BD, TestFn,
546 MiscompiledFunctions).reduceList(Blocks, Error);
547 if (!Error.empty())
548 return false;
549 if (Blocks.size() == OldSize)
550 return false;
551 }
552
553 ValueToValueMapTy VMap;
554 Module *ProgClone = CloneModule(BD.getProgram(), VMap);
555 Module *ToExtract = SplitFunctionsOutOfModule(ProgClone,
556 MiscompiledFunctions,
557 VMap);
558 Module *Extracted = BD.ExtractMappedBlocksFromModule(Blocks, ToExtract);
559 if (Extracted == 0) {
560 // Weird, extraction should have worked.
561 errs() << "Nondeterministic problem extracting blocks??\n";
562 delete ProgClone;
563 delete ToExtract;
564 return false;
565 }
566
567 // Otherwise, block extraction succeeded. Link the two program fragments back
568 // together.
569 delete ToExtract;
570
571 std::vector<std::pair<std::string, FunctionType*> > MisCompFunctions;
572 for (Module::iterator I = Extracted->begin(), E = Extracted->end();
573 I != E; ++I)
574 if (!I->isDeclaration())
575 MisCompFunctions.push_back(std::make_pair(I->getName(),
576 I->getFunctionType()));
577
578 std::string ErrorMsg;
579 if (Linker::LinkModules(ProgClone, Extracted, Linker::DestroySource,
580 &ErrorMsg)) {
581 errs() << BD.getToolName() << ": Error linking modules together:"
582 << ErrorMsg << '\n';
583 exit(1);
584 }
585 delete Extracted;
586
587 // Set the new program and delete the old one.
588 BD.setNewProgram(ProgClone);
589
590 // Update the list of miscompiled functions.
591 MiscompiledFunctions.clear();
592
593 for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) {
594 Function *NewF = ProgClone->getFunction(MisCompFunctions[i].first);
595 assert(NewF && "Function not found??");
596 MiscompiledFunctions.push_back(NewF);
597 }
598
599 return true;
600 }
601
602
603 /// DebugAMiscompilation - This is a generic driver to narrow down
604 /// miscompilations, either in an optimization or a code generator.
605 ///
606 static std::vector<Function*>
DebugAMiscompilation(BugDriver & BD,bool (* TestFn)(BugDriver &,Module *,Module *,std::string &),std::string & Error)607 DebugAMiscompilation(BugDriver &BD,
608 bool (*TestFn)(BugDriver &, Module *, Module *,
609 std::string &),
610 std::string &Error) {
611 // Okay, now that we have reduced the list of passes which are causing the
612 // failure, see if we can pin down which functions are being
613 // miscompiled... first build a list of all of the non-external functions in
614 // the program.
615 std::vector<Function*> MiscompiledFunctions;
616 Module *Prog = BD.getProgram();
617 for (Module::iterator I = Prog->begin(), E = Prog->end(); I != E; ++I)
618 if (!I->isDeclaration())
619 MiscompiledFunctions.push_back(I);
620
621 // Do the reduction...
622 if (!BugpointIsInterrupted)
623 ReduceMiscompilingFunctions(BD, TestFn).reduceList(MiscompiledFunctions,
624 Error);
625 if (!Error.empty()) {
626 errs() << "\n***Cannot reduce functions: ";
627 return MiscompiledFunctions;
628 }
629 outs() << "\n*** The following function"
630 << (MiscompiledFunctions.size() == 1 ? " is" : "s are")
631 << " being miscompiled: ";
632 PrintFunctionList(MiscompiledFunctions);
633 outs() << '\n';
634
635 // See if we can rip any loops out of the miscompiled functions and still
636 // trigger the problem.
637
638 if (!BugpointIsInterrupted && !DisableLoopExtraction) {
639 bool Ret = ExtractLoops(BD, TestFn, MiscompiledFunctions, Error);
640 if (!Error.empty())
641 return MiscompiledFunctions;
642 if (Ret) {
643 // Okay, we extracted some loops and the problem still appears. See if
644 // we can eliminate some of the created functions from being candidates.
645 DisambiguateGlobalSymbols(BD.getProgram());
646
647 // Do the reduction...
648 if (!BugpointIsInterrupted)
649 ReduceMiscompilingFunctions(BD, TestFn).reduceList(MiscompiledFunctions,
650 Error);
651 if (!Error.empty())
652 return MiscompiledFunctions;
653
654 outs() << "\n*** The following function"
655 << (MiscompiledFunctions.size() == 1 ? " is" : "s are")
656 << " being miscompiled: ";
657 PrintFunctionList(MiscompiledFunctions);
658 outs() << '\n';
659 }
660 }
661
662 if (!BugpointIsInterrupted && !DisableBlockExtraction) {
663 bool Ret = ExtractBlocks(BD, TestFn, MiscompiledFunctions, Error);
664 if (!Error.empty())
665 return MiscompiledFunctions;
666 if (Ret) {
667 // Okay, we extracted some blocks and the problem still appears. See if
668 // we can eliminate some of the created functions from being candidates.
669 DisambiguateGlobalSymbols(BD.getProgram());
670
671 // Do the reduction...
672 ReduceMiscompilingFunctions(BD, TestFn).reduceList(MiscompiledFunctions,
673 Error);
674 if (!Error.empty())
675 return MiscompiledFunctions;
676
677 outs() << "\n*** The following function"
678 << (MiscompiledFunctions.size() == 1 ? " is" : "s are")
679 << " being miscompiled: ";
680 PrintFunctionList(MiscompiledFunctions);
681 outs() << '\n';
682 }
683 }
684
685 return MiscompiledFunctions;
686 }
687
688 /// TestOptimizer - This is the predicate function used to check to see if the
689 /// "Test" portion of the program is misoptimized. If so, return true. In any
690 /// case, both module arguments are deleted.
691 ///
TestOptimizer(BugDriver & BD,Module * Test,Module * Safe,std::string & Error)692 static bool TestOptimizer(BugDriver &BD, Module *Test, Module *Safe,
693 std::string &Error) {
694 // Run the optimization passes on ToOptimize, producing a transformed version
695 // of the functions being tested.
696 outs() << " Optimizing functions being tested: ";
697 Module *Optimized = BD.runPassesOn(Test, BD.getPassesToRun(),
698 /*AutoDebugCrashes*/true);
699 outs() << "done.\n";
700 delete Test;
701
702 outs() << " Checking to see if the merged program executes correctly: ";
703 bool Broken;
704 Module *New = TestMergedProgram(BD, Optimized, Safe, true, Error, Broken);
705 if (New) {
706 outs() << (Broken ? " nope.\n" : " yup.\n");
707 // Delete the original and set the new program.
708 delete BD.swapProgramIn(New);
709 }
710 return Broken;
711 }
712
713
714 /// debugMiscompilation - This method is used when the passes selected are not
715 /// crashing, but the generated output is semantically different from the
716 /// input.
717 ///
debugMiscompilation(std::string * Error)718 void BugDriver::debugMiscompilation(std::string *Error) {
719 // Make sure something was miscompiled...
720 if (!BugpointIsInterrupted)
721 if (!ReduceMiscompilingPasses(*this).reduceList(PassesToRun, *Error)) {
722 if (Error->empty())
723 errs() << "*** Optimized program matches reference output! No problem"
724 << " detected...\nbugpoint can't help you with your problem!\n";
725 return;
726 }
727
728 outs() << "\n*** Found miscompiling pass"
729 << (getPassesToRun().size() == 1 ? "" : "es") << ": "
730 << getPassesString(getPassesToRun()) << '\n';
731 EmitProgressBitcode(Program, "passinput");
732
733 std::vector<Function *> MiscompiledFunctions =
734 DebugAMiscompilation(*this, TestOptimizer, *Error);
735 if (!Error->empty())
736 return;
737
738 // Output a bunch of bitcode files for the user...
739 outs() << "Outputting reduced bitcode files which expose the problem:\n";
740 ValueToValueMapTy VMap;
741 Module *ToNotOptimize = CloneModule(getProgram(), VMap);
742 Module *ToOptimize = SplitFunctionsOutOfModule(ToNotOptimize,
743 MiscompiledFunctions,
744 VMap);
745
746 outs() << " Non-optimized portion: ";
747 EmitProgressBitcode(ToNotOptimize, "tonotoptimize", true);
748 delete ToNotOptimize; // Delete hacked module.
749
750 outs() << " Portion that is input to optimizer: ";
751 EmitProgressBitcode(ToOptimize, "tooptimize");
752 delete ToOptimize; // Delete hacked module.
753
754 return;
755 }
756
757 /// CleanupAndPrepareModules - Get the specified modules ready for code
758 /// generator testing.
759 ///
CleanupAndPrepareModules(BugDriver & BD,Module * & Test,Module * Safe)760 static void CleanupAndPrepareModules(BugDriver &BD, Module *&Test,
761 Module *Safe) {
762 // Clean up the modules, removing extra cruft that we don't need anymore...
763 Test = BD.performFinalCleanups(Test);
764
765 // If we are executing the JIT, we have several nasty issues to take care of.
766 if (!BD.isExecutingJIT()) return;
767
768 // First, if the main function is in the Safe module, we must add a stub to
769 // the Test module to call into it. Thus, we create a new function `main'
770 // which just calls the old one.
771 if (Function *oldMain = Safe->getFunction("main"))
772 if (!oldMain->isDeclaration()) {
773 // Rename it
774 oldMain->setName("llvm_bugpoint_old_main");
775 // Create a NEW `main' function with same type in the test module.
776 Function *newMain = Function::Create(oldMain->getFunctionType(),
777 GlobalValue::ExternalLinkage,
778 "main", Test);
779 // Create an `oldmain' prototype in the test module, which will
780 // corresponds to the real main function in the same module.
781 Function *oldMainProto = Function::Create(oldMain->getFunctionType(),
782 GlobalValue::ExternalLinkage,
783 oldMain->getName(), Test);
784 // Set up and remember the argument list for the main function.
785 std::vector<Value*> args;
786 for (Function::arg_iterator
787 I = newMain->arg_begin(), E = newMain->arg_end(),
788 OI = oldMain->arg_begin(); I != E; ++I, ++OI) {
789 I->setName(OI->getName()); // Copy argument names from oldMain
790 args.push_back(I);
791 }
792
793 // Call the old main function and return its result
794 BasicBlock *BB = BasicBlock::Create(Safe->getContext(), "entry", newMain);
795 CallInst *call = CallInst::Create(oldMainProto, args, "", BB);
796
797 // If the type of old function wasn't void, return value of call
798 ReturnInst::Create(Safe->getContext(), call, BB);
799 }
800
801 // The second nasty issue we must deal with in the JIT is that the Safe
802 // module cannot directly reference any functions defined in the test
803 // module. Instead, we use a JIT API call to dynamically resolve the
804 // symbol.
805
806 // Add the resolver to the Safe module.
807 // Prototype: void *getPointerToNamedFunction(const char* Name)
808 Constant *resolverFunc =
809 Safe->getOrInsertFunction("getPointerToNamedFunction",
810 Type::getInt8PtrTy(Safe->getContext()),
811 Type::getInt8PtrTy(Safe->getContext()),
812 (Type *)0);
813
814 // Use the function we just added to get addresses of functions we need.
815 for (Module::iterator F = Safe->begin(), E = Safe->end(); F != E; ++F) {
816 if (F->isDeclaration() && !F->use_empty() && &*F != resolverFunc &&
817 !F->isIntrinsic() /* ignore intrinsics */) {
818 Function *TestFn = Test->getFunction(F->getName());
819
820 // Don't forward functions which are external in the test module too.
821 if (TestFn && !TestFn->isDeclaration()) {
822 // 1. Add a string constant with its name to the global file
823 Constant *InitArray =
824 ConstantDataArray::getString(F->getContext(), F->getName());
825 GlobalVariable *funcName =
826 new GlobalVariable(*Safe, InitArray->getType(), true /*isConstant*/,
827 GlobalValue::InternalLinkage, InitArray,
828 F->getName() + "_name");
829
830 // 2. Use `GetElementPtr *funcName, 0, 0' to convert the string to an
831 // sbyte* so it matches the signature of the resolver function.
832
833 // GetElementPtr *funcName, ulong 0, ulong 0
834 std::vector<Constant*> GEPargs(2,
835 Constant::getNullValue(Type::getInt32Ty(F->getContext())));
836 Value *GEP = ConstantExpr::getGetElementPtr(funcName, GEPargs);
837 std::vector<Value*> ResolverArgs;
838 ResolverArgs.push_back(GEP);
839
840 // Rewrite uses of F in global initializers, etc. to uses of a wrapper
841 // function that dynamically resolves the calls to F via our JIT API
842 if (!F->use_empty()) {
843 // Create a new global to hold the cached function pointer.
844 Constant *NullPtr = ConstantPointerNull::get(F->getType());
845 GlobalVariable *Cache =
846 new GlobalVariable(*F->getParent(), F->getType(),
847 false, GlobalValue::InternalLinkage,
848 NullPtr,F->getName()+".fpcache");
849
850 // Construct a new stub function that will re-route calls to F
851 FunctionType *FuncTy = F->getFunctionType();
852 Function *FuncWrapper = Function::Create(FuncTy,
853 GlobalValue::InternalLinkage,
854 F->getName() + "_wrapper",
855 F->getParent());
856 BasicBlock *EntryBB = BasicBlock::Create(F->getContext(),
857 "entry", FuncWrapper);
858 BasicBlock *DoCallBB = BasicBlock::Create(F->getContext(),
859 "usecache", FuncWrapper);
860 BasicBlock *LookupBB = BasicBlock::Create(F->getContext(),
861 "lookupfp", FuncWrapper);
862
863 // Check to see if we already looked up the value.
864 Value *CachedVal = new LoadInst(Cache, "fpcache", EntryBB);
865 Value *IsNull = new ICmpInst(*EntryBB, ICmpInst::ICMP_EQ, CachedVal,
866 NullPtr, "isNull");
867 BranchInst::Create(LookupBB, DoCallBB, IsNull, EntryBB);
868
869 // Resolve the call to function F via the JIT API:
870 //
871 // call resolver(GetElementPtr...)
872 CallInst *Resolver =
873 CallInst::Create(resolverFunc, ResolverArgs, "resolver", LookupBB);
874
875 // Cast the result from the resolver to correctly-typed function.
876 CastInst *CastedResolver =
877 new BitCastInst(Resolver,
878 PointerType::getUnqual(F->getFunctionType()),
879 "resolverCast", LookupBB);
880
881 // Save the value in our cache.
882 new StoreInst(CastedResolver, Cache, LookupBB);
883 BranchInst::Create(DoCallBB, LookupBB);
884
885 PHINode *FuncPtr = PHINode::Create(NullPtr->getType(), 2,
886 "fp", DoCallBB);
887 FuncPtr->addIncoming(CastedResolver, LookupBB);
888 FuncPtr->addIncoming(CachedVal, EntryBB);
889
890 // Save the argument list.
891 std::vector<Value*> Args;
892 for (Function::arg_iterator i = FuncWrapper->arg_begin(),
893 e = FuncWrapper->arg_end(); i != e; ++i)
894 Args.push_back(i);
895
896 // Pass on the arguments to the real function, return its result
897 if (F->getReturnType()->isVoidTy()) {
898 CallInst::Create(FuncPtr, Args, "", DoCallBB);
899 ReturnInst::Create(F->getContext(), DoCallBB);
900 } else {
901 CallInst *Call = CallInst::Create(FuncPtr, Args,
902 "retval", DoCallBB);
903 ReturnInst::Create(F->getContext(),Call, DoCallBB);
904 }
905
906 // Use the wrapper function instead of the old function
907 F->replaceAllUsesWith(FuncWrapper);
908 }
909 }
910 }
911 }
912
913 if (verifyModule(*Test) || verifyModule(*Safe)) {
914 errs() << "Bugpoint has a bug, which corrupted a module!!\n";
915 abort();
916 }
917 }
918
919
920
921 /// TestCodeGenerator - This is the predicate function used to check to see if
922 /// the "Test" portion of the program is miscompiled by the code generator under
923 /// test. If so, return true. In any case, both module arguments are deleted.
924 ///
TestCodeGenerator(BugDriver & BD,Module * Test,Module * Safe,std::string & Error)925 static bool TestCodeGenerator(BugDriver &BD, Module *Test, Module *Safe,
926 std::string &Error) {
927 CleanupAndPrepareModules(BD, Test, Safe);
928
929 sys::Path TestModuleBC("bugpoint.test.bc");
930 std::string ErrMsg;
931 if (TestModuleBC.makeUnique(true, &ErrMsg)) {
932 errs() << BD.getToolName() << "Error making unique filename: "
933 << ErrMsg << "\n";
934 exit(1);
935 }
936 if (BD.writeProgramToFile(TestModuleBC.str(), Test)) {
937 errs() << "Error writing bitcode to `" << TestModuleBC.str()
938 << "'\nExiting.";
939 exit(1);
940 }
941 delete Test;
942
943 FileRemover TestModuleBCRemover(TestModuleBC.str(), !SaveTemps);
944
945 // Make the shared library
946 sys::Path SafeModuleBC("bugpoint.safe.bc");
947 if (SafeModuleBC.makeUnique(true, &ErrMsg)) {
948 errs() << BD.getToolName() << "Error making unique filename: "
949 << ErrMsg << "\n";
950 exit(1);
951 }
952
953 if (BD.writeProgramToFile(SafeModuleBC.str(), Safe)) {
954 errs() << "Error writing bitcode to `" << SafeModuleBC.str()
955 << "'\nExiting.";
956 exit(1);
957 }
958
959 FileRemover SafeModuleBCRemover(SafeModuleBC.str(), !SaveTemps);
960
961 std::string SharedObject = BD.compileSharedObject(SafeModuleBC.str(), Error);
962 if (!Error.empty())
963 return false;
964 delete Safe;
965
966 FileRemover SharedObjectRemover(SharedObject, !SaveTemps);
967
968 // Run the code generator on the `Test' code, loading the shared library.
969 // The function returns whether or not the new output differs from reference.
970 bool Result = BD.diffProgram(BD.getProgram(), TestModuleBC.str(),
971 SharedObject, false, &Error);
972 if (!Error.empty())
973 return false;
974
975 if (Result)
976 errs() << ": still failing!\n";
977 else
978 errs() << ": didn't fail.\n";
979
980 return Result;
981 }
982
983
984 /// debugCodeGenerator - debug errors in LLC, LLI, or CBE.
985 ///
debugCodeGenerator(std::string * Error)986 bool BugDriver::debugCodeGenerator(std::string *Error) {
987 if ((void*)SafeInterpreter == (void*)Interpreter) {
988 std::string Result = executeProgramSafely(Program, "bugpoint.safe.out",
989 Error);
990 if (Error->empty()) {
991 outs() << "\n*** The \"safe\" i.e. 'known good' backend cannot match "
992 << "the reference diff. This may be due to a\n front-end "
993 << "bug or a bug in the original program, but this can also "
994 << "happen if bugpoint isn't running the program with the "
995 << "right flags or input.\n I left the result of executing "
996 << "the program with the \"safe\" backend in this file for "
997 << "you: '"
998 << Result << "'.\n";
999 }
1000 return true;
1001 }
1002
1003 DisambiguateGlobalSymbols(Program);
1004
1005 std::vector<Function*> Funcs = DebugAMiscompilation(*this, TestCodeGenerator,
1006 *Error);
1007 if (!Error->empty())
1008 return true;
1009
1010 // Split the module into the two halves of the program we want.
1011 ValueToValueMapTy VMap;
1012 Module *ToNotCodeGen = CloneModule(getProgram(), VMap);
1013 Module *ToCodeGen = SplitFunctionsOutOfModule(ToNotCodeGen, Funcs, VMap);
1014
1015 // Condition the modules
1016 CleanupAndPrepareModules(*this, ToCodeGen, ToNotCodeGen);
1017
1018 sys::Path TestModuleBC("bugpoint.test.bc");
1019 std::string ErrMsg;
1020 if (TestModuleBC.makeUnique(true, &ErrMsg)) {
1021 errs() << getToolName() << "Error making unique filename: "
1022 << ErrMsg << "\n";
1023 exit(1);
1024 }
1025
1026 if (writeProgramToFile(TestModuleBC.str(), ToCodeGen)) {
1027 errs() << "Error writing bitcode to `" << TestModuleBC.str()
1028 << "'\nExiting.";
1029 exit(1);
1030 }
1031 delete ToCodeGen;
1032
1033 // Make the shared library
1034 sys::Path SafeModuleBC("bugpoint.safe.bc");
1035 if (SafeModuleBC.makeUnique(true, &ErrMsg)) {
1036 errs() << getToolName() << "Error making unique filename: "
1037 << ErrMsg << "\n";
1038 exit(1);
1039 }
1040
1041 if (writeProgramToFile(SafeModuleBC.str(), ToNotCodeGen)) {
1042 errs() << "Error writing bitcode to `" << SafeModuleBC.str()
1043 << "'\nExiting.";
1044 exit(1);
1045 }
1046 std::string SharedObject = compileSharedObject(SafeModuleBC.str(), *Error);
1047 if (!Error->empty())
1048 return true;
1049 delete ToNotCodeGen;
1050
1051 outs() << "You can reproduce the problem with the command line: \n";
1052 if (isExecutingJIT()) {
1053 outs() << " lli -load " << SharedObject << " " << TestModuleBC.str();
1054 } else {
1055 outs() << " llc " << TestModuleBC.str() << " -o " << TestModuleBC.str()
1056 << ".s\n";
1057 outs() << " gcc " << SharedObject << " " << TestModuleBC.str()
1058 << ".s -o " << TestModuleBC.str() << ".exe";
1059 #if defined (HAVE_LINK_R)
1060 outs() << " -Wl,-R.";
1061 #endif
1062 outs() << "\n";
1063 outs() << " " << TestModuleBC.str() << ".exe";
1064 }
1065 for (unsigned i = 0, e = InputArgv.size(); i != e; ++i)
1066 outs() << " " << InputArgv[i];
1067 outs() << '\n';
1068 outs() << "The shared object was created with:\n llc -march=c "
1069 << SafeModuleBC.str() << " -o temporary.c\n"
1070 << " gcc -xc temporary.c -O2 -o " << SharedObject;
1071 if (TargetTriple.getArch() == Triple::sparc)
1072 outs() << " -G"; // Compile a shared library, `-G' for Sparc
1073 else
1074 outs() << " -fPIC -shared"; // `-shared' for Linux/X86, maybe others
1075
1076 outs() << " -fno-strict-aliasing\n";
1077
1078 return false;
1079 }
1080